Cyber Security for Government Contractors

In October 2016, the Department of Defense (DoD) issued rule 252.204-7012 (DFARS 7012) that changed the Defense Federal Acquisition Regulation Supplement (DFARS) regarding Safeguarding Covered Defense Information (CDI) and cyber incident reporting. In essence, this provision requires DoD contractors to provide adequate security to safeguard CDI on unclassified information systems that support work under a DoD contract, and to complete the implementation of this process within 30 days of contract award and no later than December 31, 2017.

Where are we today with implementing adequate security? It’s August of 2017 and many defense contractors are becoming nervous if not downright panicked. To further complicate this mandate, the DFARS 7012 requirement is a flow-down clause, and specifically applies to subcontractors as well as primes. So, subs must report incidents to both the prime and the DoD directly. It is their responsibility.

But there’s more. To comply with DFARS 7012 and meet the “adequate security” threshold, defense contractors must adhere to the National Institute of Standards and Technology (NIST) SP 800-171 Revision 1 (R1) regulation. The DFARS clause also requires a detailed plan of action that describes how any unimplemented NIST 800-171 security requirements will be addressed.

Contractors that fail to comply with the DFARS 7012 clause, which calls for the implementation of NIST SP 800-171 R1, face serious risks with potentially damaging consequences. Here are just a few implications of non-compliance:

Termination for Default

Breach of Contract

Liquidated Damages

False Claims Act violation

While there are multiple methods of completing the compliance actions described above, including minimizing the scope of covered data and systems, DoD contractors do have a choice on how to operationally meet the DFARS 7012 requirement. Many are considering going it alone or keeping the IT job in-house, by managing their on-premises IT systems and implementing their own controls. Although a noble pursuit, this opens the organization up to extensive data security and business risks that, in the event of a breach, could do irreparable damage to the organization and employees, or cripple the core of its business.

An alternative to this is to work with a vendor who is able to perform assessment and/or gap analysis on existing IT systems, controls, infrastructure, etc., and patchwork the gaps.

Another (recommended) alternative is to outsource the management of IT systems, that store or process CUI, to a hosting vendor that is familiar with the NIST Cyber Security Framework and the Center for Internet Security (CIS) Controls, and who specializes in supporting defense contractors with DFARS, FAR and ITAR requirements. Furthermore, the vendor should have or be part of a greater partner ecosystem, ready and able to implement these controls, from providing secure configurations for network devices, to incident response and management, and providing malware defenses. This approach is highly recommended because it mitigates potential unidentified risks by an internal IT department, and spreads the various addressable actions across vendors who specialize in these areas.

In a nutshell, here is a checklist of the steps DoD contractors will need to follow in order to ensure compliance to DFARS 7012 by December 31st, 2017.

Roll out secure, cloud-based productivity and communications tools for maintenance and scalability

Although there is no one-size fits all for ensuring DFARS 7012 compliance, nor is there a vendor who can cover the gamut of requirements, there are options with vendor alliances who can spearhead a cybersecurity implementation. This begins with identifying implementable steps toward ensuring your organization is compliant by the deadline. If you would like more information on NeoSystems Corp DFARS solutions and services, and our extensive cyber-ready partner ecosystem, please contact Elizabeth Jimenez at ejimenez@neosystemscorp.com.